Engage Goals: EGO0001 Expose, SGO0002 Understand
Engage Approach: EAP0002 Detect, EAP0004 Direct, SAP0002 Analyze
Engage Actions: EAC0005 Lures, EAC0012 Personas, EAC0015 Information Manipulation, SAC0002 Persona Creation, SAC0012 Engagement Environment
Name of Element: Deceptive User Account with Canary Tokens
Description of Element:
What is the goal of this operation: To identify and track unauthorized access attempts by luring adversaries towards a deceptive user account embedded with canary tokens.
What's the approach of this operation or element? This element focuses on detecting any interaction with the deceptive user account and its associated canary tokens, directing the attacker's attention towards this decoy, and analyzing their actions to understand their techniques and objectives.
This active defense element involves creating a deceptive user account within the Active Directory environment. This account appears as a regular employee with access to seemingly valuable resources and information. However, the account is embedded with various canary tokens – these are subtle triggers that alert defenders upon any interaction.
Technical Context:
The deceptive user account is configured with:
- Convincing Persona: A realistic digital persona is crafted for the account, including a believable name, job title, department, and online presence.
- Luring Access: The account has access to files, folders, or applications that appear valuable to attackers, but in reality, contain false information or are instrumented with canary tokens.
- Diverse Canary Tokens: Various types of canary tokens are employed, including:
  - Fake Documents: Documents with embedded tracking pixels or unique filenames.
  - Hidden Folders: Folders with specific names or permissions that trigger alerts upon access.
  - Decoy Credentials: Credentials stored within the account profile that, when used, trigger an alert.
- Centralized Monitoring: All canary token triggers are monitored and logged to a central security information and event management (SIEM) system.
Other:
This deceptive user account can be used to:
- Detect lateral movement: Identify attackers who have already gained initial access and are attempting to escalate privileges or move laterally within the network.
- Gather attacker information: Collect information about the attacker’s IP address, tools, and techniques.
- Delay attackers: Distract attackers and slow down their progress while defenders respond to the intrusion.
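The centralized monitoring described under Technical Context, and the detection and attacker-information uses listed above, come down to one rule: any event that touches the decoy account, its hidden folder or its fake documents is an alert, because no legitimate user has a reason to interact with them. The following is an added example (not part of the Engage element and not tooling from MITRE) showing that rule applied to simplified Windows Security events. The decoy account name, folder path, document name and maintenance host are hypothetical placeholders, and the sample events are constructed, not captured logs.

```python
"""Canary-token alerting for a deceptive AD user account.

Added example, not part of the Engage element text. It processes simplified
Windows Security events (constructed samples below, not real logs) and raises
an alert on any interaction with the decoy account or its tokens, because no
legitimate user ever has a reason to touch them. Decoy names are placeholders.
"""
from dataclasses import dataclass
from typing import Optional
import json
import ntpath

# Hypothetical decoy identifiers: substitute the ones used in your environment.
DECOY_ACCOUNT = "j.lindqvist"                        # SamAccountName of the decoy user
DECOY_FOLDER = r"C:\Shares\finance\Q3-bonus-draft"   # hidden folder on file server FS01
DECOY_DOC_NAMES = {"bonus_schedule_final_v7.xlsx"}   # uniquely named fake documents (lowercase)
MAINTENANCE_HOSTS = {"MGMT-SEC01"}                   # hosts allowed to touch the decoy for hygiene

# Events that reveal use of the decoy credentials (logged on DCs / member hosts).
LOGON_EVENTS = {4624: "logon_success", 4625: "logon_failure", 4768: "kerberos_tgt_request"}
OBJECT_ACCESS = 4663   # file-system access audit, logged on the file server itself


@dataclass(frozen=True)
class Alert:
    token: str        # which canary fired: decoy_credentials, fake_document, hidden_folder
    event_id: int
    source_ip: str    # "-" when the event type carries no network source (4663)
    workstation: str
    account: str
    detail: str


def classify(event: dict) -> Optional[Alert]:
    """Map one event to a canary alert, or None when it does not touch the decoy."""
    eid = event.get("EventID")
    workstation = event.get("WorkstationName") or event.get("Computer", "")
    ip = event.get("IpAddress", "-")
    if workstation in MAINTENANCE_HOSTS:
        return None  # scheduled persona upkeep; still retained in the raw log

    if eid in LOGON_EVENTS:
        target = (event.get("TargetUserName") or "").lower()
        if target != DECOY_ACCOUNT:
            return None
        detail = (f"{LOGON_EVENTS[eid]} logon_type={event.get('LogonType', '-')} "
                  f"status={event.get('Status', '-')}")
        return Alert("decoy_credentials", eid, ip, workstation, target, detail)

    if eid == OBJECT_ACCESS:
        obj = event.get("ObjectName", "")
        if not obj.lower().startswith(DECOY_FOLDER.lower()):
            return None
        # 4663 has no client address; pair it with share-access events (5145) when you need one.
        token = "fake_document" if ntpath.basename(obj).lower() in DECOY_DOC_NAMES else "hidden_folder"
        detail = f"object={obj} access_mask={event.get('AccessMask', '-')} process={event.get('ProcessName', '-')}"
        return Alert(token, eid, ip, workstation, (event.get("SubjectUserName") or "").lower(), detail)

    return None


def scan(events) -> list:
    """Run every event through classify() and keep the alerts."""
    return [a for a in map(classify, events) if a is not None]


def to_siem_lines(alerts) -> list:
    """Serialize alerts as JSON lines for forwarding to the central SIEM."""
    return [json.dumps({"rule": "canary_account", **vars(a)}, sort_keys=True) for a in alerts]


# Constructed sample events (simplified field names borrowed from the Windows Security log).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "a.morales", "WorkstationName": "WS-204",
     "IpAddress": "10.10.5.21", "LogonType": 3},                              # ordinary user, ignored
    {"EventID": 4624, "TargetUserName": "j.lindqvist", "WorkstationName": "WS-117",
     "IpAddress": "10.10.7.44", "LogonType": 3},                              # decoy credentials used
    {"EventID": 4625, "TargetUserName": "j.lindqvist", "WorkstationName": "WS-117",
     "IpAddress": "10.10.7.44", "LogonType": 3, "Status": "0xC000006D"},     # failed decoy logon
    {"EventID": 4768, "TargetUserName": "j.lindqvist", "Computer": "DC01",
     "IpAddress": "10.10.7.44"},                                              # TGT requested for decoy
    {"EventID": 4663, "SubjectUserName": "svc_backup", "Computer": "FS01",
     "ObjectName": r"C:\Shares\finance\Q3-bonus-draft\bonus_schedule_FINAL_v7.xlsx",
     "AccessMask": "0x1", "ProcessName": r"C:\Windows\explorer.exe"},          # fake document opened
    {"EventID": 4624, "TargetUserName": "j.lindqvist", "WorkstationName": "MGMT-SEC01",
     "IpAddress": "10.10.1.5", "LogonType": 3},                               # hygiene job, suppressed
]

if __name__ == "__main__":
    for line in to_siem_lines(scan(SAMPLE_EVENTS)):
        print(line)
```

The maintenance-host allowlist is the one deliberate exception: the account hygiene work described later in this element has to touch the decoy, and suppressing those expected events keeps every remaining alert actionable. Each alert carries the source address, workstation and process where the event provides them, which is the raw material for the attacker-information gathering listed above.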
Additional Considerations:
- Realism: Ensure the user account and its associated persona appear legitimate to avoid suspicion.
- Account Hygiene: Regularly maintain the account to ensure it remains consistent with the established persona and organizational changes.
- Integration with Threat Intelligence: Correlate canary token triggers with threat intelligence to identify potential attacker motivations and affiliations.
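Correlating canary triggers with threat intelligence, as the last consideration describes, is most useful when the triggers from one source are first grouped into a profile (first and last seen, tokens touched, hosts involved) and then enriched with indicator matches, so that the triage priority reflects both. The following is an added example (not part of the Engage element) of that correlation step. All indicator values, feed names, hashes and alert records are constructed placeholders, not real IOCs or real telemetry, and the priority rules are one reasonable scheme, not a standard.

```python
"""Correlate canary alerts with threat intelligence and build a per-source profile.

Added example, not part of the Engage element text. Indicator values and alert
records below are constructed placeholders, not real IOCs or real telemetry.
"""
from datetime import datetime, timezone
import ipaddress

# Constructed indicators; in production these come from your TI platform.
TI_IPS = {
    "203.0.113.77": {"feed": "vendor-feed-A", "label": "EXAMPLE-ACTOR-1"},
}
TI_CIDRS = [
    (ipaddress.ip_network("198.51.100.0/24"), {"feed": "internal-blocklist", "label": "known-scanner-range"}),
]
TI_PROCESS_HASHES = {
    "0" * 64: {"feed": "vendor-feed-A", "label": "EXAMPLE-ACTOR-1 tooling"},   # placeholder SHA-256
}

# Constructed canary alerts as they would arrive from the SIEM (UTC timestamps).
CANARY_ALERTS = [
    {"ts": "2024-05-02T09:14:03Z", "token": "decoy_credentials", "source_ip": "10.10.7.44", "workstation": "WS-117"},
    {"ts": "2024-05-02T09:16:50Z", "token": "fake_document", "source_ip": "10.10.7.44", "workstation": "WS-117"},
    {"ts": "2024-05-02T09:31:40Z", "token": "decoy_credentials", "source_ip": "10.10.7.44", "workstation": "WS-203"},
    {"ts": "2024-05-02T11:02:11Z", "token": "hidden_folder", "source_ip": "198.51.100.23", "workstation": "FS01"},
    {"ts": "2024-05-02T08:55:00Z", "token": "decoy_credentials", "source_ip": "10.10.9.8", "workstation": "WS-050"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ti_lookup(ip: str, process_sha256: str = "") -> list:
    """Return every indicator that matches the alert's source address or process hash."""
    matches = []
    if ip in TI_IPS:
        matches.append({"type": "ip", "indicator": ip, **TI_IPS[ip]})
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        addr = None   # "-" or a hostname: nothing to check against CIDR lists
    if addr is not None:
        for net, meta in TI_CIDRS:
            if addr in net:
                matches.append({"type": "cidr", "indicator": str(net), **meta})
    h = process_sha256.lower()
    if h and h in TI_PROCESS_HASHES:
        matches.append({"type": "process_sha256", "indicator": h, **TI_PROCESS_HASHES[h]})
    return matches


def prioritize(profile: dict) -> str:
    """Triage order: TI-linked first, then decoy credential use spanning hosts (lateral movement)."""
    if profile["ti_matches"]:
        return "critical"
    if "decoy_credentials" in profile["tokens"] and len(profile["workstations"]) > 1:
        return "critical"
    if "decoy_credentials" in profile["tokens"]:
        return "high"
    return "medium"


def build_profiles(alerts) -> dict:
    """Group alerts by source, enrich with TI, and derive a triage priority per source."""
    profiles = {}
    for a in sorted(alerts, key=lambda x: parse_ts(x["ts"])):
        p = profiles.setdefault(a["source_ip"], {
            "first_seen": a["ts"], "last_seen": a["ts"], "alerts": 0,
            "tokens": set(), "workstations": set(), "ti_matches": [],
        })
        p["last_seen"] = a["ts"]
        p["alerts"] += 1
        p["tokens"].add(a["token"])
        p["workstations"].add(a["workstation"])
        for m in ti_lookup(a["source_ip"], a.get("process_sha256", "")):
            if m not in p["ti_matches"]:
                p["ti_matches"].append(m)
    for p in profiles.values():
        p["dwell_minutes"] = int((parse_ts(p["last_seen"]) - parse_ts(p["first_seen"])).total_seconds() // 60)
        p["priority"] = prioritize(p)
    return profiles


if __name__ == "__main__":
    for ip, p in sorted(build_profiles(CANARY_ALERTS).items(), key=lambda kv: kv[1]["priority"]):
        print(ip, p["priority"], sorted(p["tokens"]), sorted(p["workstations"]), p["dwell_minutes"], "min")
```

The profile is what an analyst actually reads: one source that used the decoy credentials on two different workstations within a short window is flagged as lateral movement even without an indicator match, while a source that only touched the hidden folder stays at medium until an indicator, a second token or a second host raises it.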
This deceptive user account with canary tokens is a versatile active defense element that can be used to proactively detect and respond to intrusions, gather attacker information, and enhance the overall security posture of an organization.